fix: Self-host all external website dependencies #1197
Thanks for the PR. While we do want to host these files on our website (which we do when we deploy the built site to https://github.com/apache/lucenenet-site, which backs our hosting), we ideally wouldn't be committing the binary files to this repository. Rather, we should have the build scripts download them prior to deploying. Ideally, we would set up some sort of package manager such as npm, bower, etc. to download the versioned packages such as font-awesome to make this process simpler. The build scripts are named Let us know if you need any assistance with any of this (for example if you are unfamiliar with package managers or powershell), and we will do our best to assist.
@NightOwl888 I initially assumed that binary files should be committed to the repository, as the issue description didn’t clearly specify otherwise. I’ll investigate the correct approach and work on implementing it. If I encounter any blockers or am unable to proceed, I’ll reach out for guidance.
I understand your frustration. Often when we scope issues, we don't have all of the requirements (or don't consider all of them) at the time the issue is created. #1185 focused on the Apache policy requirements, not on the technical or legal concerns of our setup. I reviewed this and it seems there is a precedent for how to deal with binary files without committing them to this repo. We host those directly on https://github.com/apache/lucenenet-site and then use absolute URLs to link to them (so they will always appear when building locally).
So, the simplest solution is to open a PR on that repository so we can move the files there. Once the files are there, they will be available at the https://lucenenet.apache.org/ URL (in the same directory structure as the repo). This means you will get credit for 2 separate PRs just for fixing this one issue.
Legal Concerns
AFAIK, we don't have legal permission to host the book images on our website. So, for now, let's leave this out of this fix and continue linking to the broken images until we get that worked out. Unfortunately, there are sometimes conflicting requirements like these that require more time to get through than what should be a "simple" fix, but there is no reason to penalize you for that. If you wish to help us navigate this, then please do by all means. However, it doesn't seem fair to add this as a requirement for this task after you have already submitted a PR. So, when this PR is completed, either we should keep #1185 open to deal with the book images separately, or we should tag this PR with
Conclusion
So, to finish up this task:
Please keep any .js and .css files in this repository, as it will make deployment simpler if we do it manually.
@NightOwl888 Is the https://github.com/apache/lucenenet-site repository intentionally unlicensed?
Good point. You are right, it should have a If you are so inclined, you may submit a PR. Use the license file from here: https://github.com/apache/lucenenet-codeanalysis-dev/blob/main/LICENSE.txt, but change the beginning of the date range to 2020.
@NightOwl888 Here is the link: apache/lucenenet-site#57
* fix: Self-host all external website dependencies
* fix: Resolve CSP violations by self-hosting fonts
* fix: Revert images and update fonts to refer lucenenet-site
Updated [Lucene.Net](https://github.com/apache/lucenenet) from 4.8.0-beta00017 to 4.8.0-beta00018.

<details>
<summary>Release notes</summary>

_Sourced from [Lucene.Net's releases](https://github.com/apache/lucenenet/releases)._

## 4.8.0-beta00018

> This is a maintenance update that upgrades ICU4N to the latest version, since several serious concurrency and resource loading bugs have been patched since the last Lucene.NET release.

## What's Changed

### 🐞 Bug Fixes

* FuzzyQuery produces a wrong result when prefix is equal to the term length by @paulirwin in apache/lucenenet#1002
* Validate PatternParser DTDs against expected name by @paulirwin in apache/lucenenet#1358
* Validate file paths for FSDirectory and Replicator by @paulirwin in apache/lucenenet#1357
* Bumped ICU4N to 60.1.0-alpha.440 by @NightOwl888 in apache/lucenenet#1353
* ShingleFilter produces invalid queries by @tohidemyname in apache/lucenenet#946
* Fix SegmentInfos replace doesn't update userData by @tohidemyname in apache/lucenenet#948

### 🚀 Performance Improvements

* SWEEP: Replace J2N's TripleShift call with C# 11's unsigned right shift operator by @paulirwin in apache/lucenenet#1007

### 🏆 Improvements

* Added "Improvements" Category for Release Notes by @NightOwl888 in apache/lucenenet#1015

### 📄 Website and API Documentation

* website/site/.htaccess - bug fix by removing BOM and update to beta0017 redirection by @rclabo in apache/lucenenet#1005
* Updated .htaccess copy and release procedure by @NightOwl888 in apache/lucenenet#1010
* Added GitHub Automation for Release Notes by @NightOwl888 in apache/lucenenet#1011
* fix: Render ASF policy links in static HTML footer by @rbowen in apache/lucenenet#1303
* Fix/apidocs breadcrumb toc asf by @zka26 in apache/lucenenet#1232
* README: fix typo MacOS -> macOS by @jbampton in apache/lucenenet#1179
* Added ASF-required links using drop-down menu and unified navigation by @zka26 in apache/lucenenet#1198
* fix: Self-host all external website dependencies by @mmafrar in apache/lucenenet#1197
* Fix typos by @jbampton in apache/lucenenet#1177
* Replace lucene.testSettings.config references with lucene.testsettings.json by @paulirwin in apache/lucenenet#1035

## New Contributors

* @jbampton made their first contribution in apache/lucenenet#1177
* @mmafrar made their first contribution in apache/lucenenet#1197
* @rbowen made their first contribution in apache/lucenenet#1303
* @tohidemyname made their first contribution in apache/lucenenet#946
* @zka26 made their first contribution in apache/lucenenet#1198

**Full Changelog**: apache/lucenenet@Lucene.Net_4_8_0_beta00017...Lucene.Net_4_8_0_beta00018

Commits viewable in [compare view](apache/lucenenet@Lucene.Net_4_8_0_beta00017...Lucene.Net_4_8_0_beta00018).

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
…596) Updated [Lucene.Net.QueryParser](https://github.com/apache/lucenenet) from 4.8.0-beta00017 to 4.8.0-beta00018.
Fix CSP violations by self-hosting external resources
See #1185 (this only does the fonts, we still have the book images to do, but require permission to host them).
Description
External stylesheets and images from domains like cdnjs.cloudflare.com, fonts.googleapis.com, and images-na.ssl-images-amazon.com were blocked due to a restrictive Content Security Policy (CSP). All dependencies are now self-hosted to comply with the site's CSP configuration.
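
The kind of check that catches these blocked resources before deployment, as an added example that is not part of the PR or the project's build scripts: it parses a CSP header value and lists the `<script>`, stylesheet `<link>` and `<img>` references in a built page that the policy would block. The policy string, site origin, function names and sample HTML paths are constructed for illustration; the site's actual CSP is not shown on the page, and matching is by origin only.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy and origin; the site's real CSP header is not shown on the page.
POLICY = "default-src 'self'; img-src 'self' https://lucenenet.apache.org"
SITE = "https://lucenenet.apache.org"
TAGS = {"script": ("src", "script-src"), "img": ("src", "img-src"), "link": ("href", "style-src")}

def parse_csp(policy):
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return csp

def allowed(url, directive, csp):
    # Origin-only matching: 'self', exact origins and scheme sources; no wildcards or paths.
    sources = csp.get(directive, csp.get("default-src"))
    if sources is None:                 # nothing governs this fetch: unrestricted
        return True
    u = urlparse(url)
    if u.scheme and not u.netloc:       # data:, blob: ... need an explicit scheme source
        return f"{u.scheme}:" in sources
    origin = f"{u.scheme or 'https'}://{u.netloc}" if u.netloc else SITE
    return any(s.rstrip("/") == origin or (s == "'self'" and origin == SITE) for s in sources)

class Audit(HTMLParser):
    def __init__(self, csp):
        super().__init__()
        self.csp, self.violations = csp, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = "stylesheet" in (a.get("rel") or "").lower().split()
        if tag not in TAGS or (tag == "link" and not is_css):
            return
        attr, directive = TAGS[tag]
        if a.get(attr) and not allowed(a[attr], directive, self.csp):
            self.violations.append((directive, a[attr]))

def audit(html, policy=POLICY):
    parser = Audit(parse_csp(policy))
    parser.feed(html)
    return parser.violations   # [(directive, url), ...] the browser would block

# Constructed page using the external hosts named in the PR description.
SAMPLE = """<link rel="stylesheet" href="https://cdnjs.cloudflare.com/example.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Example">
<img src="https://images-na.ssl-images-amazon.com/example.jpg">
<img src="https://lucenenet.apache.org/images/example.png">
<script src="/js/example.js"></script>"""
```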